ID

VAR-201807-2224


TITLE

Shenzhen Hanglisheng Technology Co., Ltd. All-in-one configuration software 2.0 has a memory corruption vulnerability

Trust: 0.6

sources: CNVD: CNVD-2018-13353

DESCRIPTION

Shenzhen Hanglisheng Technology Co., Ltd. has been committed to the research and development, production and sales of industrial automation products since its establishment. The company was formerly a trading company specializing in foreign industrial control products. There is a memory corruption vulnerability in the all-in-one configuration software 2.0 of Shenzhen Hanglisheng Technology Co., Ltd. The vulnerability arises because HMICreator-V2 fails to verify the addressability of data in malformed project files. An attacker could use the vulnerability to read an illegal file reference in the project file, causing memory corruption. Successful exploitation of this vulnerability could also result in arbitrary code execution.

Trust: 0.72

sources: CNVD: CNVD-2018-13353 // IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1 // CNVD: CNVD-2018-13353

AFFECTED PRODUCTS

vendor: hanglisheng, model: all-in-one configuration software, scope: eq, version: 2.0

Trust: 0.8

sources: IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1 // CNVD: CNVD-2018-13353

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2018-13353
value: MEDIUM

Trust: 0.6

IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1
value: MEDIUM

Trust: 0.2

CNVD: CNVD-2018-13353
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1 // CNVD: CNVD-2018-13353

TYPE

Resource management error

Trust: 0.2

sources: IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1

PATCH

title: Hanglisheng All-in-One Configuration Software 2.0 has a memory corruption vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/133101

Trust: 0.6

sources: CNVD: CNVD-2018-13353

EXTERNAL IDS

db: CNVD, id: CNVD-2018-13353

Trust: 0.8

db: IVD, id: E2F7C3EE-39AB-11E9-9940-000C29342CB1

Trust: 0.2

sources: IVD: e2f7c3ee-39ab-11e9-9940-000c29342cb1 // CNVD: CNVD-2018-13353

SOURCES

db: IVD, id: e2f7c3ee-39ab-11e9-9940-000c29342cb1
db: CNVD, id: CNVD-2018-13353

LAST UPDATE DATE

2022-05-17T01:41:02.804000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-13353, date: 2018-08-03T00:00:00

SOURCES RELEASE DATE

db: IVD, id: e2f7c3ee-39ab-11e9-9940-000c29342cb1, date: 2018-07-18T00:00:00
db: CNVD, id: CNVD-2018-13353, date: 2018-08-13T00:00:00